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Introduction 


e Risk Assessment methodology used was built upon Sarbanes-Oxley 
internal control assessments performed at publicly traded companies. 


e SoxLite at the CTA resulted from concerns of departmental 
reorganizations and downsizing of staff. 


e Initiative is best-in-class for governmental agencies . 
e CTA Project sponsors: 

e VP Comptroller 

e Inspector General 


e Weekly project oversight meetings held with Project Sponsors and 
Finance and OIG staff. 


e Objective of the project was to: 
e Document approximately 50 key processes and related controls, 
e Identify weaknesses and opportunities for improvement, 
e Develop recommendations and monitor remediation, and 
e Set up a repeatable process for ongoing maintenance of documentation. 
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Documentation and Design Approach ota 


e Interview each of the key process owners and staff 


e Develop Process Flowcharts and Control Narratives 


e Corroborate matrix mapping Controls to Risks 


e Identify Key Controls 


Who performs the control, 


When they perform the control (daily, weekly, monthly, quarterly, 
annual), 


How they perform the control (specifies), 
Where and how they evidence performance (specifies), and 


What's the control operation (automated or manual). 


e Disseminate Internal Control Weaknesses 


e Formulate Remediation and Best Practice Recommendations 
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Assessment of Internal Control Design Weaknesses 


e The Internal Control Design Weaknesses identified were 
evaluated and prioritized based upon potential operational or 
financial impact and likelihood of the risk: 


e High (22) - operational or financial impact that seriously impairs ability to 
achieve business objectives. 


e Moderate (54) - operational or financial impact that would significantly 
affect, but not seriously impair ability to achieve business objectives. 


e Low (96) - operational or financial impact that would not significantly affect 
ability to achieve business objectives. 


e Based on the CTA risk assessment, the overall risk is low for 
financial processes and is moderate for operational processes. 
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Design Control Weakness Analysis 


These process level risk takes into consideration the existing controls for each process as well 


as the associated control weaknesses. Fourteen CTA areas were rated with high control 
weaknesses, thirteen with moderate and twenty-one with low control weaknesses. 


Department 
Law 


Process 
Workers Compensation 


L 


Total Risk 


ye) 


Claims Management 


oa 


Planning 


Service Planning & Scheduling 


Marketing 


Construction 


Construction 


Operations 


Workforce Mgmt - Rail Operations 


Workforce Mgmt - Bus Operations 


Workforce Mgmt - Rail Maintenance 


Process 
Database of Fare Revenue Data 


L 


Total Risk 


Software Acceptance Testing 


Firmware Testing 


Maintenance of Fare Revenue Equipment 


ERP Security 


Network Change Control 


Oversight of SDI 


Workforce Mgmt - Bus Maintenance 


Maintenance Management System 


Power and Way 


Workforce Mgmt & Timekeeping 


Facilities 


Workforce Mgmt & Timekeeping 


Control Center 


Control Center 


Real Estate 


Real Estate 


Financial Close Process 


Accounts Receivable 


Accounts Payable 


Grants 


Property 


Payroll 


Purchasing 
& Warehousing 


Procurement Process 


Inventory Management 


Vendor Management 


Construction Contract Payments 


Human 
Resources 


Benefits Management 


Payrate changes/Compensation 


Personnel Evaluations 


Recruitment 


Investments/Cash Management 


Fare Collections 


Currency Counting 


Fare Media Production 


Fare Media Distribution 


Fuel Hedging 


Chicago Card database management 


Credit Card Processing 


Safety 


Excempt Employees Discipline 


CTA Policies & Procedures 


Construction Oversight 


Operation Safety Inspections 
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Communications 


Communications 


High (H) 22 13% 
Moderate (M) 54 31% 
Low (L) 96 56% 
Total 
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Key Issues Identified 


e Inventory 

e Planning 

e Workforce Management and Timekeeping 

e Marketing 

e Credit Card Processing 

e Real Estate 

e Service Planning and Scheduling 

e Maintenance Management Information Systems 
e Technology 
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CTA Practical Control Environment Plan 


Long Term (2-3 Yrs) 


Seer 
Short Term (1 Yr 
— Holistic Program 
* All processes inclusive 
* Cross-Departmental Controls 
* Enterprise Risk Management 
A * Standardize processes 
Evaluate Operating - Entity Level Controls 
Effectiveness 


* Periodic testing 


¢ Self assessments 
Document & * Prioritize controls 


Evaluate Process + Expand to other processes 
Design 

« Process Documentation 

¢ Risk and Control Matrices 

¢ Design Evaluation & Remediation 
* Assess and prioritize risk 


Value of 
Program 


Time 
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CTA Key Take-Aways 


e Inherent weaknesses at the CTA were identified. 
e Strengthened internal control structure. 


e Internal control annual revalidation by the departments are 
in place. 


e Increased internal control awareness throughout the 
organization. 
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Crowe Summary 


e Foundation for internal controls has been set. 
e Tone-at-the-Top is important toward moving up the curve. 


e CTA’s control structure maturity mirrored that of other large complex 
organizations. 


e CTA is ahead of the curve compared to other governmental organizations, but there is 
considerable room for improvement compared to public companies. 
e Inherent silo mentality poses a challenge to strengthening overall control environment. 


e Process owners in took the opportunity to address existing issues and 
change post inherited practices. 


e A formal process has been set up for each department to monitor and 
update their process controls annually. 


e OIG and Finance will continue monitoring the remediation of internal 
control weaknesses. 


e Recommendation by CTA Sponsors to continue with Phase II - 
Expanding departments covered and testing of controls. 
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